UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov



APPLICATION NO.: 09/880,308
FILING DATE: 06/13/2001
FIRST NAMED INVENTOR: Barry J. Glick
ATTORNEY DOCKET NO.: 774070-7
CONFIRMATION NO.: 7380



BRIAN M BERLINER, ESQ 
O'MELVENY & MYERS, LLP 
400 SOUTH HOPE STREET 
LOS ANGELES, CA 90071-2899 



EXAMINER: KIM, JUNG W
ART UNIT: 2132
PAPER NUMBER:
SHORTENED STATUTORY PERIOD OF RESPONSE: 3 MONTHS
MAIL DATE: 04/17/2007
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. 

If NO period for reply is specified above, the maximum statutory period will apply and will expire 6 MONTHS 
from the mailing date of this communication. 



PTOL-90A (Rev. 10/06) 



Office Action Summary

Application No.: 09/880,308
Applicant(s): GLICK ET AL.
Examiner: Jung Kim
Art Unit: 2132





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 1/17/07.

2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 49-87 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 49-87 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

Attachment(s)

1) [X] Notice of References Cited (PTO-892)

2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)

3) [ ] Information Disclosure Statement(s) (PTO/SB/08)
Paper No(s)/Mail Date .

4) [ ] Interview Summary (PTO-413)
Paper No(s)/Mail Date .

5) [ ] Notice of Informal Patent Application

6) [ ] Other: .



U.S. Patent and Trademark Office
PTOL-326 (Rev. 08-06)
Office Action Summary, Part of Paper No./Mail Date 20070410



Application/Control Number: 09/880,308 
Art Unit: 2132 



Page 2 



DETAILED ACTION 

1. This Office action is in response to the amendment filed on 1/17/2007. 

2. Claims 49-87 are pending. 

Continued Examination Under 37 CFR 1.114 

3. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/17/07 
has been entered. 

Response to Arguments 

4. Applicant's arguments have been considered, but they are not persuasive. 
Applicant argues that Dustan does not disclose a state identifier as provided in the 
independent claims, in particular that the account number disclosed by Dustan does not 
maintain state because the claims require the step of "comparing the subsequently 
transmitted state identifier with the initially transmitted state identifier stored in the 
database, and if there is a match, then associating the second communication with the 
record of the first user session." (Remarks, pg. 11, 2nd full paragraph). In reply,
examiner disagrees with applicant's conclusion. As mentioned in a previous office
action, applicant's specification identifies the ability to create "state" as the capability to
"retain a record of a user's prior transactions and utilize that record to more effectively
serve that user." (pg. 2, 3rd paragraph). In view of applicant's definition of "state,"
Dustan's use of the account number is consistent with the claimed limitation of a state 
identifier. In Dustan, an account number and password is initially submitted by the 
client to a server, wherein if the account number and password is valid, a session id and 
current time is stored in the client table, associated with the account number. (Figs. 5, 
6; col. 14:20-25; 15:46-51) Moreover, each time that a request is made by the client, 
the server receives the session id and account number and verifies these values with 
those stored in the server's memory. Hence, contrary to applicant's allegations, Dustan 
anticipates the limitation "comparing the subsequently transmitted state identifier with 
the initially transmitted state identifier stored in the database, and if there is a match, 
then associating the second communication with the record of the first user session." 

5. In view of the amendment to the independent claims, applicant's argument that 
Dustan does not disclose a communication method "without the server transmitting to or 
storing on the client any state-related information" is moot in view of the new rejections. 

6. In reply to applicant's argument that MacDoran is not related prior art with the 
instant invention because MacDoran does not disclose using location information as a 
state variable, but rather merely using location information for authentication, applicant's 
argument is not persuasive. Authentication and maintaining state are not mutually 
exclusive practices as known to one of ordinary skill in the art. Instead they are usually 
viewed as overlapping objectives: maintaining state is a necessary feature of
authenticating a client. Without persistent information of an authenticated user, an
application does not know if the current user is the original authenticated user. 

7. Applicant argues that the combination of the prior art including Fraker is improper 
because the rejection does not show any desirability of using a temporal data in a state 
variable. This argument is not persuasive because Fraker does show it is desirable to 
use temporal data to define location data (4 dimensional space rather than 3 
dimensional space). Because, MacDoran and Denning discloses the desirability of 
using location data in a state variable, and Fraker discloses the desirability of using 
temporal data in location data, the combination of Fraker, Denning, MacDoran and 
Dustan is deemed proper. 

8. Applicant's argument with respect to the rejection of claim 67 is moot in view of 
the new rejection. 

Claim Rejections - 35 USC § 103 

9. Claim 80 is rejected under 35 USC 103(a) as being unpatentable over Dustan et 
al USPN 5,884,312 (hereinafter Dustan) in view of Hoffman USPN 6,460,071 
(hereinafter Hoffman) 

10. As per claim 80 Dustan discloses a method for communicating between a client 
and a server, the server being in communication with a database, comprising: 

a. initiating a user session with the server by communicating from the client 
to the server an initial request message over a stateless network protocol, the 
message further including a unique, client-generated state identifier, the server
creating a record in the database associated with the user session with the state 
identifier contained therein (fig. 5, reference nos. 176, 178 and 212, and related 
text; the account number and password is used to "login" the user to maintain a 
user session-this login information enables state to be maintained between the 
user and server); 

b. conducting the user session in which the server provides at least one 
response to the initial request message, and in which any subsequent request 
messages communicated from the client to the server include the same state 
identifier, the server associating the initial request message and the subsequent 
request messages together as part of the user session by verifying 
correspondence with the state identifier contained in the database record; and 
ending the user session (fig. 6); col. 13:60-14:26); 

c. ending the user session by discontinuing communication of further request 
messages from the client to the server and deleting the state identifier from the 
client, (by virtue of terminating the session between the client and server) 

11. Dustan does not disclose the communication between the client and server is
performed without the server transmitting to or storing on the client any state-related 
information. Hoffman discloses a means of maintaining application state information in 
a stateless environment such that state information is stored in the server without 
transmitting state back to the client browser. (Abstract; col. 2:65-67; 5:9-47) In the 
Hoffman invention, all state information is stored in the server as a client object, 
whereby information stored as the client object is retrieved via a handle. Therefore, it
would be obvious to one of ordinary skill in the art at the time the invention was made 
for the communication between the client and server to be performed without the server 
transmitting to or storing on the client any state-related information to avoid the 
particulars of storing state information on the client. See Hoffman, col. 1:17-2:47. The 
aforementioned cover the limitations of claim 80. 

12. Claims 49-52, 56-61, 65, 66, 68-72, 76-78 and 81-87 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Dustan in view of MacDoran et al. USPN 
5,757,916 (hereinafter MacDoran), Denning et al. "Location-Based Authentication: 
Grounding Cyberspace for Better Security." (hereinafter Denning), and Hoffman. 

13. As per claim 49, Dustan discloses a method for maintaining state between a 
client and a server, the server being in communication with a database, comprising: 

d. generating a user ID that identifies the client for a login session with a 
server (fig. 5, reference no. 176 and related text; [account number and 
password]); 

e. transmitting the user ID from the client to the server in an initial 
communication with the server (fig. 5, reference no. 178 and related text); 

f. storing the user ID and a generated session ID in the database in 
association with a record of a first user session with the client (fig. 5, reference 
no. 212); 

g. transmitting session ID information to the server in a second
communication with the server(fig. 6, reference no. 234 and related text); and 

h. determining whether the subsequent communication is part of the first 
user session by comparing the subsequently transmitted session ID with the 
initially generated state identifier stored in the database, and if there is a match 
then associating the second communication with the record of the first user 
session (fig. 6, reference no. 236, 238, 240 and 242, and related text). 

14. Dustan does not disclose generating a unique state identifier that contains 
information based on a location value of the client; transmitting the state identifier 
with/or in lieu of the user ID in the initial communication with the server; and transmitting 
the state identifier in subsequent communications with the server. MacDoran discloses 
generating the user ID using geodetic values of the user to identify and authenticate the 
user. These values are derived from signals received using GPS to locate a moving 
user at a specific time (Abstract; col. 2:10-61). MacDoran further discloses the 
desirability of an initial authentication using geodetic location of the user and performing 
subsequent location-based authentication of the remote user. (2:48-54) Moreover, 
MacDoran discloses one of the advantages of using geodetic values is that it makes
"spoofing" of the host device very difficult (1:7-2:7). To further establish a basis for
motivation to combine the teachings of Dustan and MacDoran, the disclosure of
Denning teaches "[a]uthentication through geodetic location has many benefits[; i]t can
be performed continuously so that a connection cannot be hijacked ... location based
authentication [is] a good technique to use in conjunction with single sign-on"
(username and password), and further discloses "[t]he use of geodetic location can
supplement or complement other methods of authentication." (pg. 13, 2nd and 5th
paragraphs) Therefore, it would be obvious to one ordinary skill in the art at the time the 
invention was made to generate a unique state identifier that contains information based 
on the client location at a specific time, and transmitting the state identifier from the 
client in the initial communication with the server; and transmitting the state identifier in 
subsequent communications with the server; wherein the subsequent communication is 
matched to the initial communication when the initially transmitted state identifier 
matches the subsequently transmitted state identifier. One would be motivated to do so 
since it enhances the prevention of access to the sensitive information by unauthorized 
users and prevents the communication from being hijacked (MacDoran and Denning, 
ibid). 

15. Finally, Dustan does not disclose the communication between the client and 
server is performed without the server transmitting to or storing on the client any state- 
related information. Hoffman discloses a means of maintaining application state 
information in a stateless environment such that state information is stored in the server 
without transmitting state back to the client browser. (Abstract; col. 2:65-67; 5:9-47) In 
the Hoffman invention, all state information is stored in the server as a client object, 
whereby information stored as the client object is retrieved via a handle. Therefore, it 
would be obvious to one of ordinary skill in the art at the time the invention was made 
for the communication between the client and server to be performed without the server 
transmitting to or storing on the client any state-related information to avoid the
particulars of storing state information on the client. See Hoffman, col. 1:17-2:47. 
The aforementioned cover the limitations of claim 49. 

16. As per claim 50, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the generating step further comprises generating the state 
identifier based on a location value that corresponds to the location of the client 
(MacDoran, col. 2:35-40). 

17. As per claim 51, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the generating step further comprises generating the state 
identifier based on a location value that includes a latitude and longitude dimension 
(MacDoran, col. 2:13-14). 

18. As per claim 52, the rejection of claim 51 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the generating step further comprises generating the state 
identifier based on a location value that further includes an altitude dimension 
(MacDoran, col. 2:13-14). 

19. As per claim 56, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the method further comprising the step of deriving an 
anonymous user ID from a state identifier (Dustan, col. 9:4-7; 18:14-22; 19:53-56). 

20. As per claim 57, the rejection of claim 56 under 35 U.S.C. 103(a) is incorporated
herein, (supra) In addition, the deriving step further comprises mathematically 
encoding a state identifier into the anonymous user ID (Dustan, col. 9:4-7; 18:14-22; 
19:53-56). 

21. As per claims 58-61 and 65, they are claims corresponding to claims 49-52, 56
and 57, and they do not teach or define above the information claimed in claims 49-52, 
56 and 57. Therefore, claims 58-61 and 65 are rejected as being unpatentable over 
Dustan in view of MacDoran, Denning and Hoffman for the same reasons set forth in 
the rejections of claims 49-52, 56 and 57. 

22. As per claim 66, Dustan discloses an apparatus for facilitating interaction 
between a user and a web application operating on a remote server, comprising: 

i. a memory (fig. 1; reference no. 24); and 

j. a processor electrically connected to the memory (fig. 1, reference no. 24)
and adapted to: 

i. transmit a user ID, in association with a first user session between 
the user and the web application, wherein the server generates, then 
stores a session id based on the user ID and transmits the session id to 
the user (fig. 5, reference nos. 176 and 178 and related text); 

ii. store the session ID in the memory (fig. 5, reference no. 216 and
related text; col. 10:40-44); 

iii. transmit a request to the server and include the session ID in the 
request if the request is part of the first user session (fig. 6, reference no. 
234 and related text); and 

iv. alternatively require submission of a new user ID and include the 
new user ID in the request if the request is part of a new user session (fig. 
5, reference no. 174; fig. 6, reference no. 240 and related text). 

23. Dustan does not disclose generating a unique state identifier that contains 
information based on a location value of the client; transmitting the state identifier 
with/or in lieu of the user ID in the initial communication with the server; transmitting the 
state identifier in subsequent communications with the server; and alternatively 
generate a new state identifier and include the new state identifier in the request if the 
request is part of the new user session. MacDoran discloses generating the user ID 
using geodetic values of the user to identify and authenticate the user. These values 
are derived from signals received using GPS to locate a moving user at a specific time 
(Abstract; col. 2:10-61). MacDoran further discloses the desirability of an initial 
authentication using geodetic location of the user and performing subsequent location- 
based authentication of the remote user. (2:48-54) Moreover, MacDoran discloses one 
of the advantages of using geodetic values is that it makes "spoofing" of the host device 
very difficult (1:7-2:7). To further establish a basis for motivation to combine the 
teachings of Dustan and MacDoran, the disclosure of Denning teaches "[a]uthentication
through geodetic location has many benefits[; i]t can be performed continuously so that
a connection cannot be hijacked ... location based authentication [is] a good technique
to use in conjunction with single sign-on" (username and password), and further
discloses "[t]he use of geodetic location can supplement or complement other methods
of authentication." (pg. 13, 2nd and 5th paragraphs) Therefore, it would be obvious to one
ordinary skill in the art at the time the invention was made to generate a unique state 
identifier that contains information based on the client location at a specific time, and 
transmitting the state identifier from the client in the initial communication with the 
server; and transmitting the state identifier in subsequent communications with the 
server; wherein the subsequent communication is matched to the initial communication 
when the initially transmitted state identifier matches the subsequently transmitted state 
identifier; and alternatively generate a new state identifier and include the new state 
identifier in the request if the request is part of the new user session. One would be 
motivated to do so since it enhances the prevention of access to the sensitive 
information by unauthorized users and prevents the communication from being hijacked 
(MacDoran and Denning, ibid). 

24. Finally, Dustan does not disclose the communication between the client and 
server is performed without the server transmitting to or storing on the client any state- 
related information. Hoffman discloses a means of maintaining application state 
information in a stateless environment such that state information is stored in the server 
without transmitting state back to the client browser. (Abstract; col. 2:65-67; 5:9-47) In 
the Hoffman invention, all state information is stored in the server as a client object, 
whereby information stored as the client object is retrieved via a handle. Therefore, it
would be obvious to one of ordinary skill in the art at the time the invention was made 
for the communication between the client and server to be performed without the server 
transmitting to or storing on the client any state-related information to avoid the 
particulars of storing state information on the client. See Hoffman, col. 1:17-2:47. The 
aforementioned cover the limitations of claim 66. 

25. As per claim 67, the rejection of claim 67 under 35 USC 103(a) is incorporated 
herein, (supra) In addition, the apparatus further comprising a web-browser 
application, wherein the processor is further adapted to delete the state identifier from 
memory when the web-browser application is closed. (Dustan, col. 19:32-60) 

26. As per claim 68, the rejection of claim 66 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the processor is further adapted to store the new state 
identifier in the memory if the request is part of a new user session (Dustan, fig. 5, 
reference no. 216 and related text). 

27. As per claim 69, the rejection of claim 68 under 35 U.S.C. 103(a) is incorporated
herein, (supra) In addition, the processor is further adapted to replace the state 
identifier in the memory with the new state identifier if the request is part of a new user 
session (Dustan, fig. 5, reference no. 216; fig. 6, reference no. 240). 

28. As per claim 70, Dustan discloses a method for communicating between a client
and a server, comprising: 

k. generating a state ID (fig. 5, reference no. 212 and related text); 

l. incorporating the state ID into a communication (fig. 6, reference nos. 232
and 234, and related text);

m. sending the communication to the server (fig. 6, reference no. 232 and 
related text); 

n. comparing the state ID to information stored in a database, the database 
being in communication with and accessible by the server (fig. 6, reference no. 
236 and related text); 

o. identifying the communication as part of a previous session if there is 
coincidence between the state ID and information stored in the database (fig. 6,
reference no. 238 and 242, and related text); and 

p. identifying the communication as part of a new session if there is no 
coincidence between the state ID and information stored in the database (fig. 6, 
reference no. 238 and 240, and related text). 

29. Dustan does not disclose generating the ID based on the location of the client. 
MacDoran discloses generating the user ID using geodetic values of the user to identify 
and authenticate the user. These values are derived from signals received using GPS 
to locate a moving user at a specific time (Abstract; col. 2:10-61). MacDoran further 
discloses the desirability of an initial authentication using geodetic location of the user 
and performing subsequent location-based authentication of the remote user. (2:48-54) 
Moreover, MacDoran discloses one of the advantages of using geodetic values is that it
makes "spoofing" of the host device very difficult (1:7-2:7). To further establish a basis
for motivation to combine the teachings of Dustan and MacDoran, the disclosure of
Denning teaches "[a]uthentication through geodetic location has many benefits[; i]t can
be performed continuously so that a connection cannot be hijacked ... location based
authentication [is] a good technique to use in conjunction with single sign-on"
(username and password), and further discloses "[t]he use of geodetic location can
supplement or complement other methods of authentication." (pg. 13, 2nd and 5th
paragraphs) Therefore, it would be obvious to one ordinary skill in the art at the time the 
invention was made to generate the state ID based on the location of the client. One 
would be motivated to do so since it enhances the prevention of access to the sensitive 
information by unauthorized users and prevents the communication from being hijacked 
(MacDoran and Denning, ibid). 

30. Dustan does not disclose the communication between the client and server is 
performed without the server transmitting to or storing on the client any state-related 
information. Hoffman discloses a means of maintaining application state information in 
a stateless environment such that state information is stored in the server without 
transmitting state back to the client browser. (Abstract; col. 2:65-67; 5:9-47) In the 
Hoffman invention, all state information is stored in the server as a client object, 
whereby information stored as the client object is retrieved via a handle. Therefore, it 
would be obvious to one of ordinary skill in the art at the time the invention was made 
for the communication between the client and server to be performed without the server 
transmitting to or storing on the client any state-related information to avoid the
particulars of storing state information on the client. See Hoffman, col. 1:17-2:47. The 
aforementioned cover the limitations of claim 70. 

31. As per claim 71, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated
herein, (supra) In addition, the generating step further comprises generating the user 
state ID based on a location value that includes a latitude and longitude dimension 
(MacDoran, col. 2:13-14). 

32. As per claim 72, the rejection of claim 71 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the step of generating a user ID further comprises 
generating the state ID based on a location value that further includes an altitude 
dimension (MacDoran, col. 2:13-14). 

33. As per claim 76, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the step of generating a state ID further comprises 
generating the state ID from location data acquired from a GPS receiver (MacDoran, fig. 
1, reference no. 103 and related text).

34. As per claim 77, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, the method further comprises deleting the state ID upon 
completion of the previous session (Dustan, fig. 7, reference no. 300 and related text). 

35. As per claim 78, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated
herein, (supra) In addition, Dustan discloses logging user activity in a log table 
including the data and time of user logon and log off, and all of the individual request 
made by a user during a session (col. 13:10-28). Information identifying these events to 
a single user requires logging a user identifier. The state ID is the obvious choice since 
it uniquely identifies the user and the communication. Therefore, it would be obvious to 
one of ordinary skill in the art at the time the invention was made to maintain at least a 
portion of the state identifier upon completion of the previous session. One would be 
motivated to do so since this enables logged actions to be traced to a specific user in an 
audit report. 

36. As per claims 81-83 and 87, they are claims corresponding to claims 49-52, 56 
and 57, and they do not teach or define above the information claimed in claims 49-52, 
56 and 57. Therefore, claims 81-83 and 87 are rejected as being unpatentable over 
Dustan in view of MacDoran and Denning for the same reasons set forth in the 
rejections of claims 49-52, 56 and 57. 

37. Claims 53-55, 62-64 and 73-75 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Dustan in view of MacDoran, Denning and Hoffman, and further in 
view of Fraker et al. USPN 5,919,239 (hereinafter Fraker). 




38. As per claims 53 and 54, the rejection of claim 49 under 35 U.S.C. 103(a) is 
incorporated herein, (supra) Although Dustan does not expressly disclose generating 
the state ID based on a temporal value that corresponds to the creation of a state ID, 
the generation of an state ID based on the geographic location of the user as taught by 
MacDoran is derived by the location of a user at a specific time. Moreover, this idea of 
associating a time value with the location values is also taught by Fraker, wherein the 
time of the position data is gathered along with the position data and stored with the 
position data (fig. 5, reference nos. 310 and 312, and related text). Because the time of 
deriving the geographic location is critical to identify a user's location, it would be 
obvious to one of ordinary skill in the art at the time the invention was made for the state 
ID to be based on a temporal value corresponding to the creation of the state ID; a 
temporal value identifies when the location of the user was determined for proper 
authentication of the user. The aforementioned cover the limitations of claims 53 and 
54. 

39. As per claim 55, the rejections of claim 53 under 35 U.S.C. 103(a) is incorporated 
herein, (supra) In addition, having the temporal value correspond to the invocation of 
an Internet browser session is an obvious enhancement since the state ID is needed 
only when an Internet browser session is established (Dustan, fig. 5, reference no. 176 
and fig. 6, reference no. 234). It would be obvious to one of ordinary skill in the art at 
the time the invention was made for the temporal value to correspond to the invocation 
of an Internet browser session, since the state ID is utilized when a user accesses 
information from the start of a browser session (Dustan, col. 7:53-62). The 
aforementioned cover the limitations of claim 55. 

40. As per claims 62-64, they are claims corresponding to claims 53-55 and 60, and 
they do not teach or define above the information claimed in claims 53-55 and 60. 
Therefore, claims 62-64 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55 and 60. 

41. As per claims 73-75, they are claims corresponding to claims 53-55 and 70, and 
they do not teach or define above the information claimed in claims 53-55 and 70. 
Therefore, claims 73-75 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55 and 70. 

42. As per claims 84-86, they are claims corresponding to claims 53-55, 70 and 80, 
and they do not teach or define above the information claimed in claims 53-55, 70 and 
80. Therefore, claims 84-86 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55, 70 and 80. 

43. Claim 70 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kung 
USPN 5,241,594 (hereinafter Kung) in view of MacDoran and Denning. 

44. As per claim 70, Kung discloses a method for maintaining state between a client 
and a server without the server transmitting to or storing on the client any state-related 
information, (col. 4:49-37) comprising: 

q. generating a state identifier that corresponds to a client; incorporating the 
state identifier into a communication; sending the communication to the server 
(5:11-15); 

r. comparing the state identifier to information stored in a database, the 
database being in communication with and accessible by the server; identifying 
the communication as part of a previous session if there is coincidence between 
the state identifier and information stored in the database; and identifying the 
communication as part of a new session if there is no coincidence between the 
state identifier and information stored in the database. (5:15-21) 

45. Dustan does not disclose generating a state identifier that contains information 
based on a location value of the client. MacDoran discloses generating the user ID 
using geodetic values of the user to identify and authenticate the user. These values 
are derived from signals received using GPS to locate a moving user at a specific time 
(Abstract; col. 2:10-61). MacDoran further discloses the desirability of an initial 
authentication using geodetic location of the user and performing subsequent location- 
based authentication of the remote user. (2:48-54) Moreover, MacDoran discloses one 
of the advantages of using geodetic values is that it makes "spoofing" of the host device 
very difficult (1:7-2:7). To further establish a basis for motivation to combine the 
teachings of Dustan and MacDoran, the disclosure of Denning teaches "[a]uthentication 
through geodetic location has many benefits[; i]t can be performed continuously so that 
a connection cannot be hijacked ... location based authentication [is] a good technique 
to use in conjunction with single sign-on" (username and password), and further 
discloses "[t]he use of geodetic location can supplement or complement other methods 
of authentication." (pg. 13, 2nd and 5th paragraphs) Therefore, it would be obvious to one 
of ordinary skill in the art at the time the invention was made to generate a state identifier 
that contains information based on the client location. One would be motivated to do so 
since it enhances the prevention of access to the sensitive information by unauthorized 
users and prevents the communication from being hijacked (MacDoran and Denning, 
ibid). The aforementioned cover the limitations of claim 70. 

46. Claim 79 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kung in 
view of MacDoran and Denning, and further in view of Doeberl et al. USPN 6,237,033 
(hereinafter Doeberl). 

47. As per claim 79, the rejection of claim 70 under 35 USC 103(a) as being 
unpatentable over Kung in view of MacDoran and Denning is incorporated herein. Kung 
does not disclose wherein the step of incorporating a state identifier into a 
communication further comprising incorporating the state identifier into a cookie file and 
incorporating the cookie file into the communications. Doeberl discloses a system for 
managing user-generated cookies and manipulating user information within a cookie 
file, which is easily accessible to a receiving web server. Col. 6:20-7:5; see also, 1:47- 
2:67 and 2:26-47. This facility enables the client to enter unique user state information 
particular to the client. Col. 6:26-34. It would be obvious to one of ordinary skill in the 
art at the time the invention was made for the step of incorporating a state identifier into 
a communication further comprising incorporating the state identifier into a cookie file 
and incorporating the cookie file into the communications. One would be motivated to 
do so to utilize the ease of storing and transmitting personal state information particular 
to the client using cookie sheets. Col. 1:47-2:67 and 2:26-47. The aforementioned 
cover the limitations of claim 79. 

Communications Inquiry 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jung W. Kim whose telephone number is 571-272-3804. 
The examiner can normally be reached on M-F 9:00-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 